Government Intervention in Cyber Security: Where We’ve Come From, Where We’re Going, and How to Keep Up

Written by Jamie Akhtar, CEO and co-founder of CyberSmart

The past decade has seen cybersecurity transformed from a relatively obscure subset of the tech world, to a major player in the modern cultural, corporate and geopolitical landscape. From the prospect of cyber-warfare, to devastating cyberattacks such as the Colonial Pipeline incident – cybersecurity is now an inescapable facet of our daily lives.

As the cybersecurity landscape has evolved, so has the UK government’s attitude towards it. Said evolution can be tracked through the three instalments of the Government Cyber Security Strategy, issued in 2011, 2016 and 2022 respectively.

The most recent instalment, perhaps unsurprisingly, is the most significant so far. Not only does the report set out the most significant policy changes yet, it redefines the governmental and legislative approach to cybersecurity. But before we get to that, it’s worth taking a brief look at the story so far.

So…

How did we get here?

Although today’s digital landscape is almost unrecognisable from that in which the initial instalment was drafted, many of the key objectives, initiatives and ideas in 2011’s report echo throughout its successors.

Arguably the main impact of the 2011 report was codifying and confirming the UK government’s commitment to cybersecurity development. The objectives alone show that the government recognised the importance of cybersecurity in an increasingly digitalised world, expressing a desire for: 

  • The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace
  • The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace
  • The UK to help shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies
  • The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cybersecurity objectives

In an effort to achieve these goals, £650 million in funding was dedicated to improving the UK’s security posture. By the time 2016 came around, this figure had ballooned to £860 million, further exemplifying the government’s commitment to the cyber-cause. Funding was directed mainly towards education and incentives. Money was poured into initiatives such as cybersecurity apprenticeships, research programmes and general awareness campaigns.

The 2016 Cyber Strategy brought with it a greater emphasis on regulation and the foundation of the National Cyber Security Council (NCSC). While it is by no means the most significant facet of the report, regulation plays a much larger role in the 2016 report compared to its predecessor. Even so, whenever regulation is mentioned, it’s always with the caveat “if necessary” or “the right mix of regulation and incentives”. This is significant because by 2022, regulation would become a core element of the UK’s Cyber Security Strategy.

The increased prominence of regulation as part of the government’s approach to cybersecurity is indicative of the cyber landscape at large. While there were significant cyberattacks carried out prior to 2016, it wasn’t until the latter half of the decade that we saw incidents with the scale and scope of NotPetya or, in the early days of the following decade, the Colonial Pipeline attack. With the potentially catastrophic impact of cybercrime made painfully clear, the government resorted to implementing regulatory measures.

Where are we going?

This year’s National Cyber Security Strategy report is significant for several reasons. Not only has the report swelled to almost two thirds the size of its predecessor, and well over twice the length of the initial instalment, but it also indicates an unprecedented shift in the government’s attitude toward cybersecurity.

In July 2021, months before the release of the 2022 report, the Cabinet Office published a report entitled “Global Britain in a Competitive Age: the Integrated Review of Security, Defence, Development and Foreign Policy”. The significance of cybersecurity being included in such a report notwithstanding, the policy paper is most notable because it contains the first use of the term “cyber power”. Six months later, the government would double down on its desire to become a cyber power, making it a core objective of the National Cyber Security Strategy 2022.

But what does the term really mean?

The government defines cyber power as “the ability to protect and promote national interests in and through cyberspace,” but the term is not only used in this context. The UK has expressed its desire to increase its cyber power, in order to become a cyber power. While this may seem like mere semantics, it indicates a significant change not only in the UK’s attitude towards cybersecurity, but a paradigm shift in the cybersphere at large.

The term reflects global anxieties about the as yet unrealised threat of a devastating “cyber war”. Said anxieties were intensified by Russia’s invasion of Ukraine, with the two countries firing several digital potshots at one another as the conflict developed.

As cyberattacks and cybersecurity increasingly make their mark on the world stage, the UK government is no longer content with its original objectives. Resilience and innovation are no longer satisfactory – with the cybersecurity industry on the cusp of a major transformation, the UK has recognised the need to get ahead, so it doesn’t fall behind.

In conjunction with the UK’s desire to become a cyber power is its new “holistic” approach to cybersecurity. This approach is an indicator of the government’s recognition that every facet of society has a part to play in the cybersecurity of a country – initiatives with a narrow scope leave vast openings that bad actors can, and will, take advantage of.

A great example of this in practice was the NCSC’s guidance for businesses released following the invasion of Ukraine. This grounded distant, geopolitical conflict in the everyday for the UK’s small businesses and reiterated the point that the UK’s cyber posture is only as good as its weakest link.

While this is a major step forward for cybersecurity policy, it’s understandable, given the vast amount of information in the report, that UK businesses may be feeling some concern with regard to their security posture.

How do you keep up?

Fortunately, the UK government and NCSC do recognise that the onus placed on the cybersecurity of the private sector can be an overwhelming responsibility, and provide a wealth of support.

  • The Industry 100 Initiative is the NCSC’s principal initiative to facilitate close collaboration between the public and private sector. It entails private companies sending employees to work on-loan with the NCSC as an information sharing scheme – returning with the know-how required to keep pace with government initiatives.
  • Cyber Essentials, while initiated way back in 2014, remains one of the most important schemes for UK businesses struggling with their security posture. The scheme identifies the core security controls and best practices a business must have in place to mitigate the risk of a cyber incident. Research has even shown that a Cyber Essentials certification reduces the risk of attack by 98.5%.
  • Resources are available on the NCSC website advising SMEs on how they can improve their security posture – 10 Steps to Cyber Resilience is a particularly comprehensive guideline.
  • The government has highlighted the need for UK business, particularly SMEs, to play a role in establishing the UK as a cyber power – the heightened risk associated with the conflict in Ukraine makes this an even more pressing issue. For SMEs looking for peace of mind as the war continues, the NCSC offers guidance on how UK businesses can protect themselves and play their role in bolstering the country’s cyber power.

Although it may be a natural reaction, SMEs shouldn’t be intimidated by the incoming policy changes. It’s important to view cybersecurity as a necessary and normal aspect of business function. Think of it like health and safety requirements, or taxes.

The path to cyber resilience doesn’t need to be costly or time consuming. Making use of the resources available to you now will likely protect you from devastating consequences later.
